If cybercrime were a global economy, it would rank third after the United States and China, generating an estimated £10 trillion (A$19.6 trillion) annually. Behind these attacks are sophisticated criminal enterprises, often operating from vast complexes in emerging markets where teams of hackers target vulnerabilities in corporate defences, Matt Bushby, CEO of the Macquarie University Cyber Skills Academy, cautions.
“Where is all the sensitive data stored? It’s with the accountants,” Bushby says. “They’re at the forefront of cyber crime, yet many don’t have the major defences or understanding of how to protect against it.”
Cyber criminals' methods are increasingly sophisticated, with attackers often lurking undetected within compromised systems for months, monitoring activities and gathering intelligence before launching an attack.
They compile detailed profiles of potential victims, piecing together information from various data breaches, such as passport and tax file numbers, to build comprehensive dossiers for future attacks.
For accountants, the vulnerabilities extend into the homes of staff who work remotely. “Most attacks are happening in people’s homes,” Bushby says. “You might have excellent defences in your office environment through secure Wi-Fi, but with staff working remotely, that’s where the greatest risk lies.”
Accountants nonchalant about cybersecurity
The profession’s response to these threats has been mixed. Many practitioners remain nonchalant, relying on basic security measures provided by accounting software platforms. “We’ve heard horror stories of Xero or MYOB passwords being found inside Excel spreadsheets or in somebody’s notes on their computer,” he says. “These are the weak links that businesses haven’t thought through.”
Bushby says many cyber breaches are staff-related, highlighting the need for greater organisational security awareness. Simple password management and avoiding suspicious emails are no longer sufficient defences. Modern cybersecurity demands a trifecta of education, technology and robust governance frameworks.
“We teach people how to write accounts, we teach people how to cross the road safely, but we don’t do a good enough job teaching people how to be safe online,” Bushby says.
Beyond immediate financial losses, the reputational damage can undermine the viability of a practice, with clients quickly losing trust and looking elsewhere for an accountant.
Multi-pronged approach to tackle cyber crime
The solution requires a multi-faceted approach, according to Bushby. Firms need multi-factor authentication, regular security audits, comprehensive staff training programs and a culture of cybersecurity awareness.
“It’s not just about clicking on the incorrect email link,” Bushby says. “It’s about the sharing of data that you email out, conversations inside the office, laptop and physical security of your office environment. It’s about understanding the early signs of where a data breach might happen.”
When breaches do occur, responding with speed and expertise is crucial. Firms can’t simply “pull the plug from the wall” and hope for the best. Professional incident response support is essential, with small practices balancing security investments against operational costs. “We put passwords on the door to lock the office, but we don’t take the same approach with our online safety,” Bushby says.
More information on the IPA National Congress on 27-29 November, 2024 is available HERE.